feat(cosmos): mitigate install-bundle RPC limits by chunking

[michaelfig]

closes: #XXXX
refs: #XXXX

Description

Security Considerations

Scaling Considerations

Documentation Considerations

Testing Considerations

Upgrade Considerations

[cloudflare-workers-and-pages]

Deploying agoric-sdk with    Cloudflare Pages

Latest commit:	6dcbe8c
Status:	✅  Deploy successful!
Preview URL:	https://c4b13578.agoric-sdk.pages.dev
Branch Preview URL:	https://mfig-bundle-chunks.agoric-sdk.pages.dev

View logs

[gibson042]

First-pass comments, limited to the RPC/protobuf API.

[gibson042]

Suggested change

	// Send a chunk of a bundle to tolerate bandwidth constraints.
	// Send a chunk of an artifact to tolerate RPC message size constraints.

[gibson042]

Suggested change

	// Either bundle, compressed_bundle, or bundle_chunks will be set.
	// Of the fields for (complete, uncompressed) bundle, (complete) compressed
	// bundle, and chunked bundle, exactly one must be non-empty.

[gibson042]

Suggested change

	// MsgInstallBundleResponse is an empty acknowledgement that an install bundle
	// message has been queued for the SwingSet kernel's consideration.
	// MsgInstallBundleResponse is either an empty acknowledgement that an install
	// bundle message has been queued for the SwingSet kernel's consideration, or
	// (for install bundle messages that specify chunking) a container for the
	// assigned id with which chunks must be associated.

[gibson042]

Suggested change

// The assigned pending installation, if chunks were specified.

[gibson042]

There's no analog for this in MsgInstallBundle for the full uploads... what purpose is it serving here? If we're worried about corruption from someone uploading a chunk of a bundle without authority to do so, then I think we should instead be using cryptographic security (e.g., the initiator indicates authorized public keys). But in any case, we can't have such a field without documenting how to determine the associated algorithm (e.g., SHA-512).

[gibson042]

Suggested change

	int64 start_block = 4 [
	(gogoproto.jsontag) = "start_block",
	(gogoproto.moretags) = "yaml:\"start_block\""
	];
	int64 start_height = 4 [
	(gogoproto.jsontag) = "start_height",
	(gogoproto.moretags) = "yaml:\"start_height\""
	];

[gibson042]

Suggested change

	// The maximum number of blocks that an async installation can use. -1 is
	// unlimited.
	int64 installation_deadline_blocks = 7 [
	(gogoproto.jsontag) = "installation_deadline_blocks",
	(gogoproto.moretags) = "yaml:\"installation_deadline_blocks\""
	];
	// The maximum number of seconds that an async installation can use. -1 is
	// unlimited.
	int64 installation_deadline_seconds = 8 [
	(gogoproto.jsontag) = "installation_deadline_seconds",
	(gogoproto.moretags) = "yaml:\"installation_deadline_seconds\""
	];
	// The maximum number of blocks between creation of a chunked artifact and
	// receipt of its final chunk. -1 is unlimited.
	int64 chunked_artifact_deadline_blocks = 7 [
	(gogoproto.jsontag) = "chunked_artifact_deadline_blocks",
	(gogoproto.moretags) = "yaml:\"chunked_artifact_deadline_blocks\""
	];
	// The maximum number of seconds between creation of a chunked artifact and
	// receipt of its final chunk. -1 is unlimited.
	int64 chunked_artifact_deadline_seconds = 8 [
	(gogoproto.jsontag) = "chunked_artifact_deadline_seconds",
	(gogoproto.moretags) = "yaml:\"chunked_artifact_deadline_seconds\""
	];

[gibson042]

Suggested change

	// Doubly-linked list in order of start block and time.
	uint64 first_pending_id = 2 [
	(gogoproto.jsontag) = "first_pending_id",
	(gogoproto.moretags) = "yaml:\"first_pending_id\""
	];
	// The last pending id that has not expired or completed.
	uint64 last_pending_id = 3 [
	(gogoproto.jsontag) = "last_pending_id",
	(gogoproto.moretags) = "yaml:\"last_pending_id\""
	];
	// The head of a doubly-linked list of pending chunked artifacts ordered by
	// ascending start block and time (i.e., the ID of the oldest).
	uint64 first_chunked_artifact_id = 2 [
	(gogoproto.jsontag) = "first_chunked_artifact_id",
	(gogoproto.moretags) = "yaml:\"first_chunked_artifact_id\""
	];
	// The tail of a doubly-linked list of pending chunked artifacts ordered by
	// ascending start block and time (i.e., the ID of the youngest).
	uint64 last_chunked_artifact_id = 3 [
	(gogoproto.jsontag) = "last_chunked_artifact_id",
	(gogoproto.moretags) = "yaml:\"last_chunked_artifact_id\""
	];

[gibson042]

What are the definitions of these states?

[gibson042]

Suggested change

	// The pending installation node in the doubly-linked list of pending
	// installations in descending order of age. This is used to track the state of
	// a pending installation and to expire them efficiently.
	message PendingInstallNode{
	// The id of the pending bundle installation.
	uint64 pending_id = 1 [
	// A node in the doubly-linked list of pending chunked artifacts ordered by
	// ascending start block and time. This is used to efficiently expire stale
	// chunked artifacts.
	message PendingInstallNode{
	// The id of the incomplete chunked artifact.
	uint64 chunked_artifact_id = 1 [